Update doc for #2250
This commit is contained in:
parent
c6358d7587
commit
fde469b0e1
@ -82,8 +82,11 @@ Connection
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server. Can be overridden by
an LDAP URI in server host.
- **Server port**: TCP port used by LDAP server if different from the standard
ports. Can also be specified in the server host URI.
- **Verify LDAP server certificate**: It is highly recommended to verify the
identity of the remote server. This setting is only enforced for LDAPS or
TLS connections.
- **Users search base**: Base of search in the LDAP directory.
- **Account**: DN used to connect to LDAP server. By default, anonymous
bind is used.
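Review bot: the new **Verify LDAP server certificate** bullet does not say how it interacts with the ``verify=`` parameter that the URI example just above it (``ldap+tls://server/verify=none&capath=/etc/ssl``) still carries, nor which of the two wins when both are set. Since that example now teaches the insecure value, consider changing it to ``verify=require`` (or dropping ``verify=`` from it) and adding one sentence on precedence. The bullet also says the setting is "only enforced for LDAPS or TLS connections" but names neither the three accepted values (``require``, ``optional``, ``none``) nor the default, both of which the parameter reference and the table elsewhere in this patch give; repeating the default here saves the Manager user a lookup.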
@ -95,6 +98,12 @@ Connection
(see
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
documentation).
- **CA file path**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **CA directory path**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. attention::
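Review bot: **CA file path** and **CA directory path** are described with the same sentence about overriding the system-wide certificate authorities, but the text does not say what happens when both fields are filled in, nor that neither has any effect unless certificate verification is enabled (the bullet added in the previous hunk says verification is only enforced for LDAPS or TLS connections). A sentence along the lines of "These paths are only consulted when *Verify LDAP server certificate* is enabled; if both are given, the file is tried first" (or whatever the actual order is) would close that gap. "a single file containing the CA used by the LDAP server" is also ambiguous: say whether the file must hold the full issuing chain or only the root.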
@ -89,6 +89,14 @@ Parameters:
- **ldapAttributeId**: RDN attribute of configuration entry (optional)
- **ldapAttributeContent**: attribute used to store configuration
values, must be multivalued (optional)
- **ldapVerify**: When using a LDAPS or TLS server, whether or not to validate the server certificate. Possible values: ``require``, ``optional`` or ``none``.
- **ldapCAFile**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **ldapCAPath**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. |image0| image:: /documentation/configuration-ldap.png
:class: align-center
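Review bot: the **ldapVerify** bullet lists ``require``, ``optional`` and ``none`` but omits the default, which the session-backend table further down in this patch gives as ``require``; state it here as well, and say what ``optional`` does, because only ``require`` delivers the man-in-the-middle protection that the release note in this same patch promises, and a reader choosing between the three values cannot tell that from this line. The bullet is also a single unwrapped line, unlike the neighbouring ``ldapAttributeContent``, ``ldapCAFile`` and ``ldapCAPath`` entries; rewrap it to the same width.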
@ -54,6 +54,9 @@ Name Comment Default value
**ldapObjectClass** Objectclass of the entry applicationProcess
**ldapAttributeId** Attribute storing session ID cn
**ldapAttributeContent** Attribute storing session content description
**ldapVerify** Perform certificate validation require (use none to disable)
**ldapCAFile** Path of CA file bundle (system CA bundle)
**ldapCAPath** Perform CA directory (system CA bundle)
======================== ================================= ===============================
Security
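Review bot: the **ldapCAPath** row reads "Perform CA directory", which looks like a leftover from the ``ldapVerify`` row's "Perform certificate validation"; it should read "Path of CA directory" to parallel the ``ldapCAFile`` row ("Path of CA file bundle") directly above it. Also check that the three new rows, in particular the default value "require (use none to disable)", stay within the ``====`` column widths of the table border, otherwise the RST table will not render.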
@ -39,6 +39,28 @@ backups and a rollback plan ready!
- Incremental lock times values can now be set by using Manager.
It must a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
LDAP certificate validation
~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see `CVE-2020-16093 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250>`__. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command ::
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and wand to temporarily disable certificate validation, you must make the following addition to `/etc/lemonldap-ng/lemonldap-ng.ini` ::
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, and wand to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
* key: ``ldapVerify``
* value: ``none``
Please note that it is HIGHLY recommended to set certificate validation to `require` when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.
2.0.8
-----
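Review bot: "wand" should be "want" in both "and wand to temporarily disable certificate validation" sentences (the configuration-storage and the session-backend paragraphs). The configuration-storage paragraph says you "must" edit ``/etc/lemonldap-ng/lemonldap-ng.ini`` but does not say why the ``lemonldap-ng-cli set ldapVerify none`` command given just above it is not enough in that case; half a sentence noting that the configuration backend is itself the LDAP connection whose certificate is being checked would make the distinction clear. Consider also placing the "HIGHLY recommended to set certificate validation to ``require``" warning before the three disable recipes rather than after them, and adding a reminder to switch the value back once the CA material is fixed, since the section presents the disabling as temporary.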